Landmark online privacy legislation introduced in Senate

WASHINGTON -- Internet privacy is shaping up as the consumer issue of the year in Congress, as evidenced by new legislation introduced with bipartisan support from two former presidential candidates.

The Commercial Privacy Bill of Rights introduced Tuesday by Sens. John F. Kerry, D-Mass., and John McCain, R-Ariz., includes measures to address consumer concerns that their sensitive information could be misused.

It stops short, however, of a "do-not-track" provision sought by privacy advocates that would block companies from tracking Americans' online activity.

Backers said the bill would enact the first comprehensive protections for consumers' digital data transmitted from computers, smartphones or other devices, and place new limitations on how companies such as Google Inc. and Facebook Inc. handle the information.

"Right now there is no law protecting the information that we share," Kerry told reporters. "Companies can harvest our personal information online and keep it for as long as they like it.

"They can sell it without asking permission or even letting you know that they're selling your own information," he said. "You shouldn't have to be a computer genius in order to be able to opt out of information sharing."

The legislation follows a recent call from the Obama administration for Congress to take action on the issue and comes after a Federal Trade Commission settlement with Google last month that imposes tough new privacy restrictions on the Internet giant.

"This is not a fringe issue," said Peter Swire, an Ohio State University law professor and former privacy official in the Clinton administration. "There's bipartisan support from national leaders to do something here."

Commerce Secretary Gary Locke said the Obama administration was still reviewing the bill, but was pleased it incorporated some key principles they had been advocating. There also is support from some major technology companies, such as Microsoft Corp. and eBay Inc., because the legislation is less restrictive than what other lawmakers have proposed.

Some consumer groups are offering tentative backing, as well, even though the legislation does not include tougher provisions many have advocated.

One they are still pushing is a requirement for a do-not-track mechanism in Web browsers that would give people the ability to stop companies from tracking their online movements.

Legislation to impose such a requirement, which would be similar to the do-not-call list for telemarketers, has been introduced in Congress and the California legislature.

Kerry and McCain said one of the goals of their bill was to strike the right balance to avoid squelching the Internet economy.

"Our bill seeks to respect the ability of businesses to advertise and market and recruit new customers while also respecting consumers' personal information," McCain said. "But consumers must have control over how their data is used when it is transferred to an unknown third party."

The legislation would give consumers new rights concerning their online data. It also requires companies to take steps to protect the information and obtain permission to share it.

Companies that collect consumer data would have to clearly explain their practices. Those would include requiring consumers to provide clear consent - known as opting in - for the collection of "sensitive, personally identifiable information."

Companies also would have to allow consumers either to access and correct their information or request that the information not be used or distributed.

But in exchange for those restrictions, companies would get several benefits.

They would be shielded from private lawsuits to enforce the new restrictions. State attorneys general would have to back off enforcing the legislation if the FTC steps in to take action against a violator. And the FTC would be empowered to approve so-called safe-harbor programs - voluntary efforts that companies could design to comply with the legislation and be exempt from some requirements and liability.

Microsoft, eBay, Intel Corp. and Hewlett-Packard Co. issued a joint statement of support for the legislation, saying it "strikes the appropriate balance by providing businesses with the opportunity to enter into a robust self-regulatory program."

Google and Facebook were less enthusiastic. They said they were committed to protecting consumers' privacy and wanted to see how the legislation evolves as lawmakers consider it.

"We think this is a good first step and we look forward to working with them to improve their bill," Facebook spokesman Andrew Noyes said.

But some major privacy advocates said the bill fell far short. They were particularly upset that it did not include a do-not-track requirement. Kerry and McCain said they anticipated that other senators might try to add such a requirement, but they felt the opt-in requirements on companies were sufficient to protect consumer information.

Those provisions aren't enough, said Jeff Chester, executive director of the Center for Digital Democracy. He joined four other privacy advocates in writing Tuesday to Kerry and McCain, urging them to make their bill tougher.

But Joel Reidenberg, academic director of the Center on Law and Information Policy at Fordham University, said the legislation is a "major advance" in the push for greater online privacy protections and has a real chance of becoming law.